> I don't know how you can get from needing a simple filter to not needing
> a filter...
> A simple example would be; as per spec, SL is blocked at the border,
> globals are allowed without restriction, and hosts that are allowed out
> have a policy that allows them to configure a global prefix along with
> the SL one, while those that are not allowed out have a policy that only
> allows configuring an SL prefix. Address selection says use the smallest
> scope, so internal communications use SL and are forced to stay internal
> by the hard filter at the border. This puts the burden of policy
> application at the address assignment time (very infrequent) rather than
> parsing every packet for access control.

this is not workable for several reasons.  

first, it expects apps to work across site boundaries between hosts that 
use SLs.  that's simply unacceptable.

second, it's not secure without filtering. 

third, address selection is not a policy mechanism, it is a default 
behavior, that applications are free to ignore - and there are many 
cases where it's highly desirable that they do so.

fourth, the idea that address selection for internal communications
does not affect external communications is naive.

> You are trying to legislate against current practice, rather than
> documenting it so that app developers can understand the real
> environment.

You are trying to force a practice that is known to be broken,
and the burden of trying to make apps work in the face of that
broken practice, on everyone.   There is no way that this can
be justified.

Keith 
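As an added illustration that is not part of either message, the following toy model (my code, not the working group's) plays out the scheme the quoted message proposes: smallest-scope default source selection on a host that holds both a site-local and a global prefix, and a hard filter at the site border. The prefixes, host addresses and the `select_source`/`border_permits` helpers are all assumptions for the demonstration; the site-local prefix fec0::/10 is the one the thread is discussing.

```python
import ipaddress

# Assumed prefixes for the model: site-local (the "SL" of the thread) and global.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")

def scope(addr):
    """Numeric scope so that 'smaller' compares correctly: link < site < global."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return 2
    if a in SITE_LOCAL:
        return 5
    return 14  # treat everything else as global scope

def select_source(host_addrs, dest):
    """Default address-selection behaviour described in the thread:
    among the host's addresses whose scope is at least the destination's,
    pick the smallest scope.  Returns None if no usable source exists."""
    d = scope(dest)
    candidates = [a for a in host_addrs if scope(a) >= d]
    if not candidates:
        return None
    return min(candidates, key=scope)

def border_permits(src, dst):
    """Hard filter at the site border: only global-to-global traffic passes.
    This is the control that actually keeps SL traffic inside."""
    return scope(src) == 14 and scope(dst) == 14

def send(host_addrs, dest, forced_src=None):
    """Simulate one packet leaving a host.  An application may override the
    default selection (forced_src), which is Keith's third objection: address
    selection is a default, not a policy mechanism.  Returns (src, crosses_border)."""
    src = forced_src if forced_src is not None else select_source(host_addrs, dest)
    if src is None:
        return None, False
    # The border only matters if the packet is headed out of the site at all.
    return src, border_permits(src, dest)

# Constructed hosts: one allowed out (SL + global), one internal-only (SL only).
HOST_OUT = ["fec0::1", "2001:db8::1"]
HOST_IN = ["fec0::2"]

if __name__ == "__main__":
    # Default selection keeps internal traffic on SL ...
    print(select_source(HOST_OUT, "fec0::2"))            # fec0::1
    # ... and uses the global for external destinations.
    print(select_source(HOST_OUT, "2001:db8::99"))       # 2001:db8::1
    # Internal-only host has no usable source for an external destination.
    print(select_source(HOST_IN, "2001:db8::99"))        # None
    # An application ignoring the default still produces an SL-addressed packet
    # that only the border filter stops; assignment-time policy alone does nothing.
    print(send(HOST_OUT, "fec0::2", forced_src="2001:db8::1"))  # ('2001:db8::1', False)
```

The last call is the point of the model: the only thing preventing the mixed global/site-local packet from leaving the site is the border filter, so "not needing a filter" is not a consequence of the assignment-time policy.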
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
